This Data Processing and Security Exhibit (“Exhibit”) supplements your Agreement regarding your access to and use of any of COMPLY’s SaaS and/or Professional Services offerings, as applicable, and sets forth the confidentiality, non-disclosure and security requirements for Private Information subject to Applicable Data Protection Law.
As used herein, the terms “you” and “your” refer to the legal entity represented on your Order Schedule, or any other ordering document accepted by us for your order of our Services (each an “Order Schedule”). Further, any references to terms such as “we,” “our,” “us,” “ComplySci” and “COMPLY” will mean the COMPLY™ entity described in your Agreement that references this Exhibit. You may not access or use our Services if you are a competitor, or for the purposes of monitoring availability, performance, or functionality, or for any other benchmarking or competitive purposes.
Unless defined in the Agreement, all capitalized terms used in this Exhibit shall have the meanings given to them below:
1.1 Agreement: means the written agreement between us and you for the provision of certain Services to which this Exhibit is attached.
1.2 Applicable Data Protection Law: means all applicable laws and binding rules or regulations relating to the protection, privacy, security, or Processing of Personal Data applicable to a Party in connection with its use or provision of the Services, each as amended or replaced from time to time, including without limitation: (i) EU Regulation 2016/679 (“GDPR”), where the Controller is established in a European Economic Area (“EEA”) member state or is otherwise subject to GDPR; (ii) the UK Data Protection Act 2018 (“UK GDPR”); (iii) the revised Swiss Federal Act on Data Protection of 25 September 2020 (“FADP”); and (iv) the California Consumer Privacy Act of 2018 Cal. Civil Code § 1798.100 et seq. along with its implementing regulations, any amendments or replacements to it from time to time (including the California Privacy Rights Act of 2020) (collectively, the “CCPA”).
1.3 Controller: means an individual or entity that alone or jointly determines the purpose and means of Processing Personal Data, including analogous terms under Applicable Data Protection Law.
1.4 Data Subject: means an individual who is the subject of Personal Data. Data Subject includes “Consumer” as defined by the CCPA and analogous terms under Applicable Data Protection Law.
1.5 Deidentified Data: means data that cannot reasonably be used to infer information about, or otherwise be linked to, a Data Subject or household.
1.6 Exhibit: means this Data Processing and Security Exhibit.
1.7 Party: means either you or us, and “Parties” means, collectively, you and us.
1.8 Personal Data: means any information relating to an identified or identifiable natural person, where an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. Personal Data includes “Personal Information” as defined by the CCPA and analogous terms under Applicable Data Protection Law.
1.9 Processor: means an individual or entity that Processes Personal Data on behalf of a Controller. Processor includes “Service Provider” as defined by the CCPA and analogous terms under Applicable Data Protection Law.
1.10 Processing: means any operation or set of operations which is performed upon Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
1.11 Processor Group: means Processor and any entity which controls, is controlled by, or is under common control with, Processor.
1.12 Service(s): means the products and services contracted by you and made available by us pursuant to the Agreement.
1.13 Service Data: means electronic data, or other materials submitted to and stored within the Service by Controller, its Agents and End-Users, in connection with Controller’s use of such Service, including, without limitation, Personal Data.
1.14 Sub-processor: means any third-party data processor engaged by Processor, including entities from the Processor Group, who receives Personal Data from Processor for processing on behalf of Controller and in accordance with Controller’s instructions (as communicated by Processor) and the terms of its written subcontract.
1.15 Supervisor: means any Data Protection Supervisory Authority with competence over Controller’s and Processor’s Processing of Personal Data.
In addition to the above, any other capitalized terms used but not defined in this Exhibit shall have the meaning set forth in the Agreement.
2.1 You are the Controller and we are the Processor of Personal Data.
2.2 The Parties have entered the Agreement pursuant to which you are provided a subscription to access and use the Service. In providing the Service, we will engage on your behalf in the Processing of Personal Data submitted to and stored within the Service by you or third parties with whom you transact using the Service.
2.3 The Parties agree that the subject-matter and duration of Processing performed by the Processor under this Exhibit, including the nature and purpose of Processing, the type of Personal Data, and categories of Data Subjects, shall be described in Section 13 of this Exhibit and in the Agreement.
3.1 As between the Parties, all Service Data Processed under the terms of this Exhibit and the Agreement shall remain the property of Controller. Under no circumstances will Processor act, or be deemed to act, as a “controller” (or equivalent concept) of the Service Data Processed within the Service under any Applicable Data Protection Law.
4.1 As part of Processor providing the Service to Controller under the Agreement, Processor agrees and declares as follows:
(i) to process Personal Data in accordance with Controller’s documented instructions as set out in the Agreement and this Exhibit or as otherwise necessary to provide the Service, except where required otherwise by applicable laws (and provided such laws do not conflict with Applicable Data Protection Law); in such case, Processor shall inform Controller of that legal requirement upon becoming aware of the same (except where prohibited by applicable laws);
(ii) to confirm that all staff and management of any member of the Processor Group are aware of their responsibilities to protect Personal Data in accordance with this Exhibit and have committed themselves to confidentiality undertakings or are under an appropriate statutory obligation of confidentiality;
(iii) to implement and maintain reasonable and appropriate technical and organizational measures to protect Personal Data against a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access (a “Data Security Breach”), provided that such measures shall take into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, so as to provide a level of security appropriate to the risks represented by the Processing and the nature of the Personal Data to be protected;
(iv) to notify Controller, without undue delay and as set forth in the Agreement, in the event of a confirmed Data Security Breach affecting Controller’s Service Data and to cooperate with Controller as reasonably necessary to mitigate or remediate the Data Security Breach, and to provide Controller with the information required under Applicable Data Protection Law, to the extent available to Processor;
(vi) taking into account the nature of the Processing, to assist Controller (including by appropriate technical and organizational measures), insofar as it is commercially reasonable, to fulfill Controller’s obligation to respond to requests from Data Subjects to exercise their rights under Applicable Data Protection Law (a “Data Subject Request”). In the event Processor receives a Data Subject Request directly from a Data Subject, it shall (unless prohibited by law) direct the Data Subject to the Controller in the first instance. However, in the event Controller is unable to address the Data Subject Request, taking into account the nature of the Processing and the information available to Processor, Processor shall, at Controller’s request and at Controller’s reasonable expense, address the Data Subject Request, as required under Applicable Data Protection Law;
(vii) to assist and cooperate with Controller as reasonably necessary for Controller to comply with its obligations under Applicable Data Protection Law, including with Controller’s obligations regarding data protection impact assessments, data subject requests and complaints related to their rights, and consultations with governmental authorities; and
(x) to appoint an individual who will act as a point of contact for Controller, and coordinate and control compliance with this Exhibit, including the Security Standards detailed in Section 12 hereunder.
4.2 Where required by Applicable Data Protection Law, to the extent Controller discloses or otherwise makes available Deidentified Data to Processor, or to the extent Processor creates Deidentified Data from Personal Data, Processor shall:
(i) adopt reasonable measures to prevent such Deidentified Data from being used to infer information about, or otherwise being linked to, a particular natural person or household;
(ii) publicly commit to maintain and use such Deidentified Data in a deidentified form and to not attempt to re-identify the Deidentified Data, except that Processor may attempt to re-identify the data solely for the purpose of determining whether its deidentification processes are compliant with Applicable Data Protection Law; and
(iii) before sharing Deidentified Data with any other party, including Subprocessors, contractors, or any other persons (“Recipients”), contractually obligate any such Recipients to comply with all requirements of this Section 4.2 of the Exhibit (including imposing this requirement on any further Recipients).
5.1 Controller agrees that Processor may engage Sub-processors through written agreements to assist it in providing the Service including by Processing Personal Data provided that such Sub-processors:
(i) agree to act only on Processor’s instructions when Processing the Personal Data (which instructions shall be consistent with Controller’s Processing instructions to Processor); and
(ii) agree to protect the Personal Data to a standard consistent with the requirements of this Exhibit, including by implementing and maintaining appropriate technical and organizational measures to protect the Personal Data they Process consistent with the Security Standards described in Section 12 hereunder.
(iii) where Processor contracts with any Sub-processor to Process Personal Data outside the EEA, United Kingdom, or Switzerland, Processor and its Sub-processor shall execute the EU Commission’s Standard Contract Clauses (“EU SCCs”) (using module 3 for “Processor-to-Processor” transfers) implementing Decision EU 2021/914 of 4 June 2021, as amended by the International Data Transfer Addendum to the SCCs version B.1.0 (“UK IDTA”) issued by the United Kingdom’s Information Commissioner’s Office and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022 for transfers from the United Kingdom.
5.2 Processor shall maintain an up-to-date list of the names and location of all Sub-processors used for the Processing of Personal Data under this Exhibit at https://www.complysci.com/gdpr-sub-processors/. Controller may be informed of new Sub-processors by visiting this site. In the event Controller objects in good faith to the Processing of its Personal Data by any newly appointed Sub-processor, as described in this Section 5.2, it shall immediately inform Processor of its reasons for such objection. Controller and Processor will use reasonable efforts to determine a way of addressing Controller’s objection without adversely impacting the Processor’s ability to deliver the Services. If Processor determines that it cannot accommodate Controller’s good faith objection, Processor shall notify Controller of such determination. Upon receipt of such notice, Controller may terminate the Agreement without penalty or liability (other than for fees due and owing to Processor for Services performed prior to such termination), and such termination shall be effective immediately upon written notice to Processor; provided the foregoing right of termination shall expire ten (10) days from Processor’s notice of such determination. Processor shall, within thirty (30) days of its receipt of such termination notice from Controller, refund Controller the unused prorated portion of any prepaid fees for the period following the effective date of termination.
5.3 Controller understands that, for the convenience of Controller, certain Services delivered by Processor may include URLs, links, or other means for connecting to websites controlled by third parties (“Third Party Sites”). Controller further understands that its enablement, access to and use of such Third Party Sites is governed solely by the terms and conditions and privacy policies of the third parties that operate such Third Party Sites. Processor disclaims (a) any endorsement, representations, and/or warranties regarding the Third Party Sites including, without limitation, the content or manner in which they handle any data (including Personal Data) that Controller elects to share with such Third Party Sites (whether directly or indirectly through the Services), and (b) any responsibility or liability for any damage, harm, or loss caused or alleged to be caused by or in connection with Controller’s enablement, access or use of any such Third Party Sites, and/or Controller’s reliance on the privacy practices, data security processes or other policies of such Third Party Sites. For the avoidance of doubt, Third Party Sites are not and shall not be deemed Sub-processors for any purpose under this Exhibit.
6.1 The Parties acknowledge that Processor uses and relies upon third party auditors to verify the adequacy of its security measures related to the Services, including the security of the physical data centers from which Processor Processes Personal Data. Such audits:
(i) will be performed at least annually;
(ii) will be performed according to industry standards;
(iii) will be performed by independent third party security professionals at Processor’s selection and expense; and
(iv) will result in the generation of an audit report affirming that Processor’s data security controls achieve prevailing industry standards (e.g., a SOC1, SOC2 or similar report).
6.2 Processor shall provide responses to Controller’s reasonable requests for information (including any requests by Controller under instruction from Data Subjects), which may include responses to relevant information security and audit questionnaires.
6.3 At Controller’s written request, Processor will provide Controller with a confidential summary of the Report (“Summary Report”) so that Controller can reasonably verify Processor’s compliance with the security and audit obligations under this Exhibit. The Summary Report will constitute Processor’s Confidential Information under the confidentiality provisions of the Agreement.
6.4 In the event that Sections 6.1 and 6.2 are not sufficient to respond to a Supervisory Authority under GDPR, or as otherwise expressly required by Applicable Data Protection Laws, and upon reasonable advance written notice of not less than thirty (30) days, Processor shall allow for and contribute to audits, including inspections, conducted by Controller or a third party mutually agreed by Processor and Controller, at Controller’s sole and exclusive cost and expense, solely for the purposes of validating Processor’s compliance with Applicable Data Protection Laws. Such audits shall: (a) be limited to once per twelve (12) month period, unless required by Applicable Data Protection Laws; (b) not unreasonably interfere with Processor’s business operations; (c) be conducted during normal business hours; and (d) be subject to reasonable confidentiality obligations and Processor’s security and access policies.
7.1 Controller acknowledges that Processor and its Sub-processors may maintain data processing operations in countries that are outside of the EEA, the United Kingdom, and Switzerland. As such, both Processor and its Sub-processors may Process Personal Data outside of the EEA, the United Kingdom, and Switzerland. This will apply even where Controller has agreed with Processor to host Personal Data in the EEA, United Kingdom, and/or Switzerland if such Processing is necessary to provide support-related or other services requested by Controller.
7.2 Where Processor, either directly or indirectly, Processes Personal Data via onward transfer (a) from the EEA or Switzerland, Controller and Processor agree that such Processing shall be subject to EU SCCs (using module 2 for “Controller-to-Processor” transfers) located at: www.complysci.com/comply-eu-sccs-0323.pdf and incorporated by this reference, and (b) where such transfers are from the United Kingdom, such EU SCCs shall be amended by the UK IDTA located at: www.complysci.com/comply-uk-idta-0323.pdf and incorporated by this reference.
7.3 With regards to transfers of Personal Data subject to the FADP where 7.2(a) applies, the Parties agree that: (a) general and specific references in the Standard Contractual Clauses to the “EU GDPR”, “Union”, “EU” or “Member State” Law will hereby be deemed to have the same meaning as the equivalent reference in the FADP; (b) any other obligation in the Standard Contractual Clauses determined by the Member State in which the data exporter or Data Subject is established will hereby be deemed to refer to an obligation under the FADP; (c) the competent supervisory authority is the Swiss Federal Data Protection and Information Commissioner; and (d) the term “EU Member State” must not be interpreted in such a way as to exclude Data Subjects in Switzerland from the possibility of bringing legal proceedings against the data exporter and/or data importer before the courts of Switzerland.
As part of Controller receiving the Service under the Agreement, Controller agrees and declares as follows:
8.1 It is solely responsible for the accuracy of Personal Data, the means by which such Personal Data is acquired, and the Processing of Personal Data by Controller, including instructing Processing by Processor in accordance with this Exhibit for the purposes of provision of the Service and in accordance with all the relevant provisions of the Applicable Data Protection Law, particularly with respect to the security, protection and disclosure of Personal Data;
8.2 That if Processing by Processor involves any “special” or “sensitive” categories of Personal Data (as defined under Applicable Data Protection law), Controller has collected such Personal Data in accordance with Applicable Data Protection Law;
8.3 The Controller will inform its Data Subjects:
(i) about its use of Processors to Process their Personal Data, including the Processor; and
(ii) that their Personal Data may be Processed outside of the EEA, United Kingdom, or Switzerland;
8.4 that it shall respond in reasonable time and to the extent reasonably practicable to enquiries by Data Subjects regarding the Processing of their Personal Data by Controller, and to give appropriate instructions to Processor in a timely manner; and
8.5 that it shall respond in a reasonable time to enquiries from a Supervisor regarding the Processing of relevant Personal Data by Controller.
9.1 With respect to any “personal information” (as defined in the CCPA) provided by you (“Personal Information”) and Processed by us pursuant to the Agreement, such Processing shall be subject to the CCPA. We shall act as a “service provider” (as defined under CCPA) to you with respect to such Processing.
9.2 We agree not to use, Share (as defined in the CCPA), or Sell (as defined in the CCPA) any Personal Information (including such Personal Information pertaining to your Authorized Users) other than to provide the Services, as authorized by the Agreement, within the direct business relationship between the Parties.
9.3 We will not Sell (as defined in the CCPA) any Personal Information (including such Personal Information pertaining to your Authorized Users).
9.4 We will not combine Personal Information with other information that we receive from or on behalf of any other third party or our interactions with individuals, provided that we may so combine Personal Information for a specified business purpose if directed to do so by you or as otherwise permitted by the CCPA.
9.5 The Parties acknowledge and agree that the provision of any Services by us to you is for your Business Purposes.
9.6 We will direct any individual requesting to exercise their rights under the CCPA to submit their request directly to you by contacting you.
9.7 We shall comply with our applicable obligations under the CCPA and provide the level of privacy protection for Personal Information as is required under the CCPA.
9.8 You shall have the right to take reasonable and appropriate steps to: (i) ensure that the Personal Information transferred to us is used by us in a manner that is consistent with the CCPA; and (ii) stop and remediate any unauthorized use by us of Personal Information; and we agree to reasonably co-operate with your exercise of the aforementioned rights.
9.9 We shall promptly notify you in writing if at any time we make a determination that we can no longer meet our obligations regarding CCPA compliance under this Exhibit.
10.1 Upon termination of the Services and/or the Agreement, whichever comes earlier, and otherwise in compliance with Applicable Data Protection Law, Processor shall, at the Controller’s election, delete or return from Controller’s production environment for the Services, all copies of the Service Data stored or Processed by Processor on behalf of Controller.
11.1 This Exhibit will remain in force as long as Processor Processes Personal Data on behalf of Controller under the Agreement.
12.1 As of the Effective Date of the Agreement, we, when Processing Personal Data on behalf of you in connection with the Service, shall implement and maintain the following technical and organizational security measures for the Processing of such Personal Data (“Security Standards”):
(i) Physical Access Controls: We shall take reasonable measures to prevent physical access, such as by securing buildings and premises, to prevent unauthorized persons from gaining access to Personal Data, and to ensure third parties operating data centers on our behalf are adhering to such controls.
(ii) System Access Controls: We shall take reasonable measures to prevent Personal Data from being used without authorization. These controls shall vary based on the nature of the Processing undertaken and may include, among other controls, authentication via passwords and/or two-factor authentication, documented authorization processes, documented change management processes and/or logging of access on several levels.
(iii) Data Access Controls: We shall take reasonable measures to provide that Personal Data is accessible and manageable only by properly authorized staff, direct database query access is restricted and application access rights are established and enforced to ensure that persons entitled to use a data processing system only have access to the Personal Data to which they have privilege to access; and that Personal Data cannot be read, copied, modified or removed without authorization in the course of Processing.
(iv) Transmission Controls: We shall take reasonable measures to ensure that it is possible to check and establish to which entities the transfer of Personal Data by means of data transmission facilities is envisaged so Personal Data cannot be read, copied, modified or removed without authorization during electronic transmission or transport.
(v) Input Controls: We shall take reasonable measures to provide that it is possible to check and establish whether and by whom Personal Data has been entered into data processing systems, modified or removed. We shall take reasonable measures to ensure that (i) the Personal Data source is under your control; and (ii) Personal Data integrated into the Platform is managed by secured transmission from you.
(vi) Data Backup: Back-ups of the databases in the Platform are taken on a regular basis, are secured, and encrypted to ensure that Personal Data is protected against accidental destruction or loss when hosted by us.
(vii) Logical Separation: Data from different subscriber environments is logically segregated on our systems to ensure that Personal Data that is collected for different purposes may be processed separately.
| Item | Description |
| --- | --- |
| Subject Matter | Your data entered or shared in relation to the Services purchased under the Agreement |
| Frequency and Duration | The Term of the Agreement on a continuous basis. |
| Nature and Purpose of the Processing | The nature and purpose of the Processing is to Process Personal Data in connection with the provision of the Services described in the Agreement (trade matching for compliance and conflict checks, making regulatory filings, producing policies and procedures, and other compliance-related activity) by: collecting, accessing, and retrieving Personal Data; storing, organizing, structuring, and safeguarding Personal Data; analyzing Personal Data, and correcting, adapting, and combining Personal Data as required to perform analyses; disclosing Personal Data to Sub-processors as needed to perform the Services; making Personal Data available to Controller; erasing, including destroying or deleting, Personal Data; and deidentifying data. |
| Categories of Data Subjects | Data Subjects could include your personnel, their family members, brokers, representatives, and other individuals as identified in your policies and procedures. |
| Types of Personal Data | Data uploaded to the Services in relation to the Services purchased under the Agreement, including: contact and demographic information; employment-related information, such as employee identifiers; and financial information, such as equity trading history and positions. |
| Sub-processors | As noted on the Sub-processor website located at https://www.complysci.com/gdpr-sub-processors/. Sub-processors will Process Personal Data (1) as necessary to perform the Services pursuant to the Agreement, in connection with the Processing purposes listed above; and (2) for the duration of the Agreement, unless otherwise agreed in writing. |
| Data Transfers | Identify any countries outside the EEA, United Kingdom, Switzerland, or an international Processor organization to which data may be transferred. |
| Security Measures | We shall maintain an information security profile that aligns with industry standards as attested to by a third-party security review, a SOC 1, Type II audit, a SOC 2, Type I audit (for the ComplySci Risk and Compliance Platform™), third party penetration testing, and third party code review and test in accordance with Section 12 of this Exhibit. |
| Supplier Data Protection Ops. | |
| Your Rights and Obligations | Your rights and obligations are described in the Agreement. |
Updated: November 4, 2025
Prior Update: March 2, 2023